At the beginning of February, the New York Times announced that its computer systems had been attacked by hackers who, it was claimed, were from China. The announcement was all too familiar. The litany of cyber attacks over the past ten years has begun to read like a Who’s Who of public offices, companies and institutions.
The warnings have been many. According to a controversial report commissioned by the Cabinet Office, the UK is losing £27bn worth of intellectual property every year to unnamed foreign powers. The figures have been questioned: academics claim they are lower, possibly £20bn, but by all accounts they are still stupendous. If a foreign power were eroding the UK’s economic base at such a rate using a bombing campaign, there would have been an immediate military response. The true scale of the problem of cyber crime is hard to quantify. In a speech in July 2012, General Alexander of the National Security Agency in the US suggested that the total cost of loss of intellectual property to American companies alone was around $250bn a year.
However, even just using conservative reported figures, the numbers are huge. Again in the US, the Internet Crime Complaint Center recently put the cost of internet crime, based on complaints made to it, at just over $485m a year. Another way of assessing the financial scale of the problem is to look at the size of the computer security industry worldwide, which is currently valued at around $300bn annually.
Speaking at last month’s Cyber Summit in New York, Howard Schmidt – who until last summer was President Obama’s cyber czar – underlined this dependence.
“Think about the ticketing system with just one airline. Say it is just down, it’s not even been hit by a cyber attack; it doesn’t have to be malicious, it has just failed. In less than an hour they will have to start to divert planes to another airport. International planes that are coming in then start to divert. Think of the disruption that has occurred all because of the failure of a ticketing system in one airline.”
This dependence has delivered a potent weapon into the hands of those who do have malicious intent. In August 2007, for example, hackers took down the Estonian Government, which until that point had prided itself on being the most wired nation on earth. It was believed to have occurred in retaliation for the moving of the Bronze Soldier of Tallinn, a Second World War memorial that had become the meeting point for ethnic Russians protesting against the Estonian Government. The incident was one of the factors that convinced the UK Government to commit £650m to bolster the UK’s cyber defences.
Another more convincing discovery was the computer virus Stuxnet, which was found to have disabled centrifuges enriching uranium at Natanz, part of the Iranian government’s nuclear programme. The discovery of Stuxnet sent shockwaves around the world. This was the first time that a computer virus had been found that was capable of physical destruction. Stuxnet was instantly dubbed both a stealth virus and weaponised software, and led those who examined it to claim that cyber weapons such as this cost as much to develop as a cruise missile and have a greater potential than a nuclear bomb.
It was a wake-up call that prompted a search for other variants. To date four more have been discovered: Flame, Mini-Flame, Gauss and Red October.
Flame turned computers in the Middle East into listening stations capable of collecting all of the information in the computers, remotely turning on microphones and other recording devices attached to them, and then passing that back to the virus’s controllers. Mini-Flame was a smaller version of this that is believed to have been in circulation since 2003.
Gauss was similar, though it was targeted at banks in the Middle East, possibly in a bid to extract information about the flow of funds to terrorist groups.
Red October, discovered at the end of last year, is even more impressive, targeted at embassies, governments and oil companies. Not only does it collect information and use a module that allows it to include mobile phones in its data collection activities, it can also undelete files from the memory sticks now routinely used to store data we want to carry around with us. This ability to undelete files, it is thought, enables the virus to cross the “air-gap” often used in places such as embassies to secure data. Thus embassy staff will use memory sticks to work on internet-enabled systems and then take information from those when they want to work on secure systems holding classified data. The undelete function would possibly enable Red October to collect any classified files that may have been worked on and then erased.
According to Raj Samani, chief technology officer of McAfee, interviewed on the online radio programme, PassWord, the company is now dealing with 60,000 new computer viruses a day and two million criminal websites a month. These are all intended to help criminals steal the data they need to get into our bank accounts.
There are around five super gangs whose internet-based activities mean that we are now in the era of the super criminal: crime gangs whose power is so great that they too now pose a threat to our lives and livelihoods because of their control of botnets. These are huge networks of infected computers, sometimes numbering more than a million, which work by sending huge numbers of information requests to websites to bring them down, usually for the purpose of extortion but recently to degrade the effectiveness of a company’s web presence, possibly on behalf of a competitor.
It is a technique that in 2003 was used by an unknown group to collapse the internet itself by launching an attack at its backbone, preventing people from finding the sites they were searching for.
Up until now there has been little evidence that conventional terrorist organisations have sought to obtain a cyber weapon. However, there is some proof that Russian cybercriminals have had contact with Islamic groups to help them move money around, while in Chechnya it is claimed by intelligence experts that Islamic terrorists were receiving money for allowing “bullet proof servers” to be set up – computers housed away from interference from the authorities that criminals can use without fear they will be shut down.
Such links, it is argued, will mean that terrorists will at some point obtain a cyber weapon from their criminal contacts. However, such a transfer, while possible, would be fraught with risk. Controlling a cyber weapon is difficult even for state actors. Stuxnet, for example, though targeted at Natanz, still managed to take out power stations in India while also affecting the US oil company Chevron. These risks might deter organisations such as Al Qaeda, given that there is the possibility that it might inadvertently cause damage to the computers of states that are its supporters. However, such a concern is unlikely to deter a lone-wolf terrorist similar to Timothy McVeigh, who carried out the Oklahoma Bombing in which 168 people died because of his personal vendetta against the US government.
This, say experts, is the real worry: that an individual or small highly motivated group could obtain a cyber weapon and use it without realising the consequences.
It is a very real possibility and one the UK is woefully ill-prepared for. At the moment there is a shortfall of 4,000 qualified people to combat the cyber attack we are sustaining, according to Mark Raeburn, chief executive of Context, a cyber security company. This needs to change. Cybercrime is big business where the risks are very real.
Peter Warren is chair of the Cyber Security Research Institute; Jane Whyatt is researcher of Angel Media Productions